Cloud Incident Response Blog | Cado Security

Decoding Logs in the Cloud: GCP Admin Activity Logs

Written by Calum Hall | Aug 19, 2024 11:15:00 AM

As we continue our "Decoding Logs in the Cloud" series, we've explored logs from AWS and Azure, focusing on different aspects of cloud infrastructure monitoring. In this installment, we'll delve into GCP (Google Cloud Platform) Admin Activity Logs, crucial for maintaining security and transparency in your Google Cloud environment.


What are GCP Admin Activity Logs?

GCP Admin Activity Logs provide a detailed record of administrative activity within your GCP projects, folders and organizations. They capture API calls that modify the configuration or metadata of resources, such as creating or deleting virtual machines, changing IAM permissions, and updating network configurations; read-only calls go to Data Access Logs instead. Admin Activity Logs are one of the four types of Google Cloud Audit Logs, alongside Data Access Logs, System Event Logs and Policy Denied Logs. Unlike Data Access Logs, Admin Activity Logs are always written, cannot be disabled, incur no ingestion charge, and are retained for 400 days in the project's _Required log bucket, which makes them the first data source to pull in an investigation.

Importance of GCP Admin Activity Logs

GCP Admin Activity Logs are essential for:

Security Monitoring: Detecting unauthorized access and changes to resources.

Compliance: Ensuring adherence to regulatory requirements by maintaining detailed logs of administrative actions.

Troubleshooting: Investigating and resolving operational issues by analyzing historical administrative activities.

Operational Insights: Monitoring changes to resources for better management and understanding of your cloud environment.

Structure of GCP Admin Activity Logs

GCP Admin Activity Logs are JSON-formatted LogEntry records. The envelope fields (logName, resource, timestamp, severity) are common to every Cloud Logging entry; the audit-specific detail lives in protoPayload, which is an AuditLog message. Here are the primary components:

  • logName: The resource name of the log. For Admin Activity logs it ends in cloudaudit.googleapis.com%2Factivity.
  • insertId: A unique identifier for the entry, useful for de-duplicating exports.
  • resource: The monitored resource that produced the log entry (type plus identifying labels such as project_id and zone).
  • protoPayload: The payload of the log entry, containing detailed information about the event.
    • @type: The protobuf type of the payload, always type.googleapis.com/google.cloud.audit.AuditLog for audit entries.
    • methodName: The name of the API method that was invoked (e.g. v1.compute.instances.insert, SetIamPolicy).
    • authenticationInfo: The identity that made the request. principalEmail may be a user, a group member, or a service account; service accounts end in .gserviceaccount.com, and a Google-managed service agent acting on your behalf shows up here too.
    • authorizationInfo: The IAM permission(s) checked for the request and whether each was granted. A denied call that still produces an entry is worth a second look.
    • requestMetadata: Metadata about the request. callerIp is the public source address, or the literal strings private or gce-internal-ip when the call originated inside Google. callerSuppliedUserAgent is exactly that, supplied by the caller, so treat it as a pivot point rather than as evidence.
    • serviceName: The name of the API service that handled the request (e.g. compute.googleapis.com).
    • resourceName: The resource or collection that is the target of the request.
    • request: The actual request object, if the service records it.
    • response: The response object, if applicable.
  • severity: The severity level of the log entry (e.g., INFO, WARNING, ERROR). Most successful admin actions are INFO; a failed call is typically ERROR with a status block in protoPayload.
  • timestamp: The time the event occurred.
  • receiveTimestamp: The time the log entry was received by Cloud Logging. The gap between the two is normally seconds; a large gap can indicate delayed delivery and should be accounted for when building timelines.
  • labels: Additional labels associated with the log entry.


Example of a GCP Admin Activity Log Entry

Here is an example of an Admin Activity Log entry recording the creation of a Compute Engine instance. The request object carries its own @type that names the Compute API request it represents:

{
  "logName": "projects/my-project/logs/cloudaudit.googleapis.com%2Factivity",
  "resource": {
    "type": "gce_instance",
    "labels": {
      "instance_id": "1234567890123456789",
      "project_id": "my-project",
      "zone": "us-central1-a"
    }
  },
  "protoPayload": {
    "@type": "type.googleapis.com/google.cloud.audit.AuditLog",
    "methodName": "v1.compute.instances.insert",
    "authenticationInfo": {
      "principalEmail": "user@example.com"
    },
    "authorizationInfo": [
      {
        "permission": "compute.instances.create",
        "granted": true
      }
    ],
    "requestMetadata": {
      "callerIp": "203.0.113.0",
      "callerSuppliedUserAgent": "google-cloud-sdk"
    },
    "serviceName": "compute.googleapis.com",
    "resourceName": "projects/my-project/zones/us-central1-a/instances/my-instance",
    "request": {
      "@type": "type.googleapis.com/compute.instances.insert",
      "name": "my-instance",
      "machineType": "zones/us-central1-a/machineTypes/n1-standard-1",
      "disks": [
        {
          "boot": true,
          "initializeParams": {
            "sourceImage": "projects/debian-cloud/global/images/family/debian-9"
          }
        }
      ],
      "networkInterfaces": [
        {
          "network": "global/networks/default"
        }
      ]
    }
  },
  "severity": "INFO",
  "timestamp": "2023-07-21T19:23:45Z",
  "receiveTimestamp": "2023-07-21T19:23:46Z",
  "labels": {
    "compute.googleapis.com/resource_name": "projects/my-project/zones/us-central1-a/instances/my-instance"
  }
}

Analyzing GCP Admin Activity Logs

To effectively utilize GCP Admin Activity Logs, you can:

  1. Centralize Logging: Admin Activity logs already land in Cloud Logging for each project, but an investigation usually spans many projects. Create an aggregated log sink at the organization or folder level that routes every project's activity log to one destination (a central Logging bucket, BigQuery dataset, or Cloud Storage bucket) so that an attacker who deletes a project, or who never had access to your SIEM project, cannot take the evidence with them.
  2. Automate Monitoring: Write log-based alerting policies in Cloud Monitoring for the handful of methods that matter most, such as SetIamPolicy, service account key creation, and firewall rule changes, and enrich alerts with callerIp and principalEmail so the responder knows who and from where before opening the console.
  3. Visualize and Query Data: Route the activity log to BigQuery (or enable Log Analytics on the central bucket) and query it with SQL; build dashboards in Looker Studio (formerly Data Studio) or your SIEM. BigQuery and Looker Studio are Google Cloud services, so no data leaves the platform unless you choose to export it.
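The following Python is an added example written for this post to tie the field walkthrough above to the "Automate Monitoring" step; it is not code from Cado Security or from Google. It flattens Admin Activity entries into the fields an analyst pivots on (principal, principal type, method, caller IP classification, ingestion lag) and runs three simple detection rules over them. The three entries in SAMPLE_ENTRIES are constructed for illustration and follow the AuditLog layout shown earlier; TRUSTED_RANGES and SENSITIVE_METHODS are assumptions that a real deployment would replace with its own egress ranges and watch list.

```python
"""Flatten GCP Admin Activity log entries and run detection rules over them.

Added example for this post (not Cado or Google code). SAMPLE_ENTRIES are
constructed; TRUSTED_RANGES and SENSITIVE_METHODS are assumptions.
"""
import ipaddress
from datetime import datetime

# Assumption: the organisation's known egress range; anything else is "external".
TRUSTED_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# Real Admin Activity method names that deserve an alert on their own.
SENSITIVE_METHODS = {
    "SetIamPolicy",                                  # IAM binding changed
    "google.iam.admin.v1.CreateServiceAccountKey",   # long-lived credential minted
    "v1.compute.firewalls.insert",                   # new firewall rule
    "v1.compute.firewalls.patch",                    # existing rule modified
}

# Literal values Google writes to callerIp when the source is not a public address.
REDACTED_IPS = {"private", "gce-internal-ip"}

# Constructed sample entries, trimmed to the fields the rules use.
SAMPLE_ENTRIES = [
    {   # benign: human creates a VM from the trusted range
        "protoPayload": {
            "methodName": "v1.compute.instances.insert",
            "serviceName": "compute.googleapis.com",
            "resourceName": "projects/my-project/zones/us-central1-a/instances/my-instance",
            "authenticationInfo": {"principalEmail": "user@example.com"},
            "requestMetadata": {"callerIp": "198.51.100.7", "callerSuppliedUserAgent": "google-cloud-sdk"},
        },
        "timestamp": "2023-07-21T19:23:45Z", "receiveTimestamp": "2023-07-21T19:23:46Z",
    },
    {   # suspicious: service account rewrites the project IAM policy from an unknown address
        "protoPayload": {
            "methodName": "SetIamPolicy",
            "serviceName": "cloudresourcemanager.googleapis.com",
            "resourceName": "projects/my-project",
            "authenticationInfo": {"principalEmail": "ci-runner@my-project.iam.gserviceaccount.com"},
            "requestMetadata": {"callerIp": "203.0.113.0", "callerSuppliedUserAgent": "python-requests/2.31"},
        },
        "timestamp": "2023-07-21T20:01:12Z", "receiveTimestamp": "2023-07-21T20:01:14Z",
    },
    {   # suspicious: new service account key; callerIp redacted because the call came from inside Google
        "protoPayload": {
            "methodName": "google.iam.admin.v1.CreateServiceAccountKey",
            "serviceName": "iam.googleapis.com",
            "resourceName": "projects/-/serviceAccounts/123456789012345678901",
            "authenticationInfo": {"principalEmail": "user@example.com"},
            "requestMetadata": {"callerIp": "private"},
        },
        "timestamp": "2023-07-21T20:05:00Z", "receiveTimestamp": "2023-07-21T20:05:03Z",
    },
]


def _ts(value):
    """Parse an RFC 3339 timestamp such as 2023-07-21T19:23:45Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify_ip(caller_ip):
    """Return 'redacted', 'trusted' or 'external' for a callerIp value."""
    if not caller_ip or caller_ip in REDACTED_IPS:
        return "redacted"
    addr = ipaddress.ip_address(caller_ip)
    return "trusted" if any(addr in net for net in TRUSTED_RANGES) else "external"


def parse_entry(entry):
    """Flatten one LogEntry into the fields an analyst pivots on."""
    payload = entry["protoPayload"]
    principal = payload.get("authenticationInfo", {}).get("principalEmail", "")
    meta = payload.get("requestMetadata", {})
    caller_ip = meta.get("callerIp", "")
    ts, received = _ts(entry["timestamp"]), _ts(entry["receiveTimestamp"])
    return {
        "timestamp": ts,
        "ingest_lag_s": (received - ts).total_seconds(),
        "principal": principal,
        "principal_type": "service_account" if principal.endswith(".gserviceaccount.com") else "user",
        "method": payload["methodName"],
        "service": payload.get("serviceName", ""),
        "resource": payload.get("resourceName", ""),
        "caller_ip": caller_ip,
        "ip_kind": classify_ip(caller_ip),
        "user_agent": meta.get("callerSuppliedUserAgent", ""),  # caller-controlled, pivot only
    }


def detect(record):
    """Return the names of the rules that fire for one parsed record."""
    findings = []
    sensitive = record["method"] in SENSITIVE_METHODS
    if sensitive:
        findings.append("sensitive-method")
    if record["ip_kind"] == "external":
        findings.append("untrusted-ip")
    if sensitive and record["principal_type"] == "service_account":
        findings.append("sa-privilege-change")
    return findings


def run(entries):
    """Parse and evaluate every entry; return (method, principal, findings) for the ones that alert."""
    alerts = []
    for entry in entries:
        rec = parse_entry(entry)
        hits = detect(rec)
        if hits:
            alerts.append((rec["method"], rec["principal"], hits))
    return alerts


if __name__ == "__main__":
    for method, principal, hits in run(SAMPLE_ENTRIES):
        print(f"{method:45} {principal:50} {','.join(hits)}")
```

Feed run() the JSON objects returned by a Cloud Logging export and the same three rules apply unchanged. The IP classification deliberately treats the redacted values as their own bucket rather than as trusted: a "private" callerIp tells you the request came through Google infrastructure (for example from a VM or Cloud Shell), not that it was authorised.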

The Cado Platform

Cado Security empowers security teams to get to the bottom of what happened faster. With Cado, what used to take analysts days, now takes minutes. Automate data collection. Process data at cloud speed. Analyze with purpose. No confusion, no complexity.

Collect From Anywhere: whether it's a multi-cloud, container-based, serverless, SaaS, or on-premises set up. Automatically capture hundreds of data sources across cloud-provider logs, disk, memory, and more. No agent required means zero impact to production systems.

Cloud Native: Cado deploys natively within your cloud environment to ensure your unique data privacy requirements are met. You choose: deploy in AWS, GovCloud, Azure, or GCP in minutes, decreasing time to investigation and eliminating egress costs.

Powerful Analytics: Collected data is enriched using third-party and proprietary threat intelligence. Key incident details such as root cause, compromised roles and assets, and a complete timeline of events are automatically surfaced. 


GCP Admin Activity Logs provide detailed insights into administrative activities within your Google Cloud environment. By understanding their structure and significance, you can enhance your cloud infrastructure's security, compliance, and operational efficiency. In the next blog of this series, we'll explore another type of cloud log and continue our journey into decoding logs in the cloud.